oidc-auth-manager/src/preferred-provider.js at 4a4d3991ab477ad0f9d658c37abbf59afed3ad44 · nodeSolidServer/oidc-auth-manager · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
'use strict'

const { URL } = require('whatwg-url')
const validUrl = require('valid-url')
const fetch = require('node-fetch')
const li = require('li')
const rdf = require('rdflib')

module.exports = {
  discoverProviderFor,
  parseProviderLink,
  preferredProviderFor,
  providerExists,
  validateProviderUri
}

/**
 * @param uri {string} Provider URI or Web ID URI
 *
 * @returns {Promise<string>}
 */
function preferredProviderFor (uri) {
  // First, determine if the uri is an OIDC provider
  return providerExists(uri)
    .then(providerUri => {
      if (providerUri) {
        return providerUri // the given uri's origin hosts an OIDC provider
      }

      // Given uri is not a provider (for example, a static Web ID profile URI)
      // Discover its preferred provider
      return discoverProviderFor(uri)
    })
}

/**
 * @param uri {string} Provider URI or Web ID URI
 *
 * @returns {Promise<string|null>} Returns the Provider URI origin if an OIDC
 *   provider exists at the given uri, or `null` if none exists
 */
function providerExists (uri) {
  let providerOrigin = (new URL(uri)).origin
  let providerConfigUri = providerOrigin + '/.well-known/openid-configuration'

  return fetch(providerConfigUri, { method: 'HEAD' })
    .then(result => {
      if (result.ok) {
        return providerOrigin
      }

      return null
    })
}

/**
 *
 * @param webId {string} Web ID URI
 *
 * @returns {Promise<string>} Resolves with the preferred provider uri for the
 *  given Web ID, extracted from Link rel header or profile body. If no
 *  provider URI was found, reject with an error.
 */
function discoverProviderFor (webId, issuer) {
  return discoverFromHeaders(webId)

    .then(providerFromHeaders => providerFromHeaders || discoverAllFromProfile(webId))

    .then(providerUri => {
      if (Array.isArray(providerUri)) {
        let list = providerUri
        let lastErr = null

        for (let i = 0; i < list.length; i++) {
          lastErr = null
          providerUri = list[i]
          if (providerUri) {
            providerUri = (new URL(providerUri)).origin
          }

          try {
            validateProviderUri(providerUri, webId) // Throw an error if empty or invalid
          } catch (err) {
            lastErr = err
          }

          if (lastErr === null && ((issuer && providerUri === issuer) || !issuer)) {
            return providerUri
          }
        }
        if (lastErr) {
          throw lastErr
        } else {
          validateProviderUri(null, webId) // Throw an error if empty or invalid
        }
      } else {
        // drop the path (provider origin only)
        if (providerUri) {
          providerUri = (new URL(providerUri)).origin
        }

        validateProviderUri(providerUri, webId) // Throw an error if empty or invalid

        return providerUri
      }
    })
}

/**
 * @param webId {string}
 *
 * @returns {Promise<string|null>}
 */
function discoverFromHeaders (webId) {
  return fetch(webId, { method: 'OPTIONS' })
    .then(response => {
      if (response.ok) {
        return parseProviderLink(response.headers)
      }

      return null
    })
}

function discoverAllFromProfile (webId) {
  const store = rdf.graph()

  const fetcher = rdf.fetcher(store)

  return fetcher.load(webId, { force: true })
    .then(response => {
      if (!response.ok) {
        let error = new Error(`Could not reach Web ID ${webId} to discover provider`)
        error.statusCode = 400
        throw error
      }

      let providerTerm = rdf.namedNode('http://www.w3.org/ns/solid/terms#oidcIssuer')
      let idp = store.each(rdf.namedNode(webId), providerTerm, undefined)
      let list = []

      for (let i = 0; i < idp.length; i++) {
        if (idp[i].uri) {
          list.push(idp[i].uri)
        }
      }

      return list
    }, err => {
      let error = new Error(`Could not reach Web ID ${webId} to discover provider`)
      error.cause = err
      error.statusCode = 400
      throw error
    })
}

/**
 * Returns the contents of the OIDC issuer Link rel header.
 *
 * @see https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
 *
 * @param headers {Headers} Response headers from an OPTIONS call
 *
 * @return {string}
 */
function parseProviderLink (headers) {
  let links = li.parse(headers.get('link')) || {}

  return links['http://openid.net/specs/connect/1.0/issuer']
}

/**
 * Validates a preferred provider uri (makes sure it's a well-formed URI).
 *
 * @param provider {string} Identity provider URI
 *
 * @throws {Error} If the URI is invalid
 */
function validateProviderUri (provider, webId) {
  if (!provider) {
    let error = new Error(`OIDC issuer not advertised for ${webId}.
    See https://github.com/solid/webid-oidc-spec#authorized-oidc-issuer-discovery`)
    error.statusCode = 400
    throw error
  }

  if (!validUrl.isUri(provider)) {
    let error = new Error(`OIDC issuer for ${webId} is not a valid URI: ${provider}`)
    error.statusCode = 400
    throw error
  }
}